Bench active · EN ↔ TH · TEL +66 02-859-2145 · NDA from first email · 1-hour quote SLA
EN TH
Request RFP
COMPLIANCE · GDPR · DATA-PROCESSOR DISCIPLINE · EU → BANGKOK UNDER SCCs
Art 28 DPA · 72-hour breach notice · NDA from first email
★ GDPR-ALIGNED · DATA PROCESSOR · SCCs + TIA · ART 28 DPA · NDA-FIRST · PDPA-DOMICILED

GDPR. Processor-grade discipline, EU to Bangkok.

Othello International processes client documents that contain personal data — names, addresses, financial figures, identifiers — so the General Data Protection Regulation (Regulation (EU) 2016/679) is squarely in frame. Under Article 3, GDPR applies extraterritorially: a Bangkok firm processing the personal data of EU residents is in scope. Othello acts as a data processor on the client-controller’s documented instructions. Thailand holds no EU adequacy decision — so EU → Thailand transfers run on Standard Contractual Clauses plus a Transfer Impact Assessment and supplementary measures, not on a claim of adequacy Othello does not have. Article 28 DPA on request · NDA from first email · audit-trail retained Bangkok-side.

GDPR Effective
2018
Reg (EU) 2016/679 · 25 May
Transfer Mechanism
SCCs
2021/914 + TIA · EU→TH
Breach Notice
72h
Art 33 · without undue delay
Max Penalty
4% / €20M
Art 83 · global turnover
★ DATA-PROTECTION POSTURE · TRANSPARENT
Processor role. SCCs, not adequacy. One DPA, one audit-trail.
  • RoleData processor · on instruction
  • ScopeArt 3 · extraterritorial
  • EU→TH transferSCCs + TIA · not adequacy
  • ContractArt 28 DPA · on request
  • Breach72h · notify controller
  • DomicileThai PDPA · GDPR-aligned
  • ConfidentialityNDA from first email
★ The GDPR Posture · How A Bangkok Processor Stays Lawful

The posture, substantively. Six points that make EU-facing work lawful.

GDPR compliance for a translation and advisory firm is not a badge — it is a documented operating posture. Othello processes personal data inside client documents, so the questions that matter are: what role does Othello hold, what brings it into scope, how does data lawfully reach Bangkok, and what contract governs it. The six points below document the substantive posture.

POINT 01 · ROLE

Processor, not controller.

Othello acts as a data processor — it processes personal data on the documented instructions of the client, who is the controller. Othello does not determine the purposes of processing; it translates, edits, and advises on documents the client supplies. This role allocation is recorded in the engagement and the DPA, and it dictates the Article 28 obligations Othello accepts.

OthelloProcessor
ClientController
BasisDocumented instruction
POINT 02 · SCOPE

Extraterritorial. Article 3 reaches Bangkok.

GDPR applies regardless of where the processor sits. Under Article 3, processing the personal data of individuals in the EU brings a non-EU firm into scope. Othello does not treat its Bangkok domicile as an exemption — EU-facing engagements are run to GDPR standard. This is the honest reading: the regulation follows the data subject, not the processor’s postcode.

TriggerEU data subjects
ArticleArt 3
ExemptionNone claimed
POINT 03 · TRANSFER

SCCs + TIA. Not a claim of adequacy.

Thailand has no EU adequacy decision. So EU → Thailand transfers cannot rely on adequacy — they run on the modernised Standard Contractual Clauses (Decision (EU) 2021/914), accompanied by a Transfer Impact Assessment and documented supplementary measures. Othello will not pretend Thailand is “adequate” — it documents the actual lawful mechanism the regulation requires for a non-adequate third country.

AdequacyNone (TH)
MechanismSCCs 2021/914
PlusTIA + measures
POINT 04 · CONTRACT

Article 28 Data Processing Agreement.

Every EU-facing engagement can run under an Article 28 DPA. The DPA records the subject matter and duration of processing, the nature and purpose, the types of personal data and categories of data subject, and the controller’s instructions — plus Othello’s confidentiality, security, sub-processor, breach-notification, audit, and deletion obligations. The DPA is the instrument; SCCs sit inside it for the transfer.

InstrumentArt 28 DPA
ContainsSCCs · scope · duties
AvailableOn request
POINT 05 · BREACH

72-hour notification discipline.

As a processor, Othello’s obligation under Article 33 is to notify the controller without undue delay on becoming aware of a personal-data breach — so the controller can meet its own 72-hour supervisory-authority deadline. Othello maintains an incident-response procedure: detection, containment, assessment, controller notification, and documented remediation, with the event recorded in the audit-trail.

DutyNotify controller
WindowWithout undue delay
ArticleArt 33
POINT 06 · RIGHTS

Data-subject rights, facilitated.

Othello assists the controller in honouring data-subject rights — access, rectification, erasure, restriction, portability, and objection (Articles 15–21). As processor, Othello does not field requests directly from data subjects; it supports the controller’s response with prompt retrieval, correction, or deletion of the relevant material from Othello-controlled infrastructure, recorded in the audit-trail.

RightsArts 15–21
OthelloAssists controller
RecordedAudit-trail

WHY THE HONEST TRANSFER STORY MATTERS · Vendors that claim “GDPR compliant” without naming a transfer mechanism are hiding the hard part. For EU → Thailand, the hard part is the absence of adequacy — which is why SCCs + a Transfer Impact Assessment + supplementary measures are the real answer. Othello documents the mechanism rather than asserting a status it does not hold. See PDPA Compliance for the Thai-domicile counterpart.

★ Operating Practices · How The Posture Becomes Daily Discipline

Eight data-protection practices. Where the posture becomes operational.

A posture is only as good as the daily handling. The flagship practices are in-house processing and encryption — the two that most often distinguish institutional-grade handling from consumer-tier translation tools that quietly send client content to third-party endpoints.

PRACTICE 01 · FLAGSHIP

In-house processing

The flagship practice. Othello does not route substantive client content through consumer LLM endpoints or unscreened third-party tools. Personal data inside documents is processed within Othello-controlled infrastructure by the named bench. No silent data egress to free machine-translation services — the single most common GDPR failure in the translation market.

In-houseNo consumer LLMNo egress
PRACTICE 02 · FLAGSHIP

Encryption in transit & at rest

Personal data is encrypted in transit and at rest — a documented supplementary measure under the SCC transfer regime. Encryption with keys held by Othello is precisely the kind of technical measure a Transfer Impact Assessment calls for when the destination is a non-adequate third country. Secure transfer channels, not email attachments by default.

EncryptionIn transitAt rest
PRACTICE 03 · ACCESS

Least-privilege access control

Access to client documents is restricted to the named bench assigned to the engagement. Least-privilege controls mean a translator or editor sees only the material their role requires. Access is logged. Need-to-know is enforced, not assumed — a measure the TIA documents and the DPA records.

Least-privilegeLoggedNeed-to-know
PRACTICE 04 · MINIMISATION

Data minimisation & purpose limitation

Othello processes only the personal data the engagement requires, for only the purpose the controller instructs (Article 5 principles). Where a document can be pseudonymised or redacted without harming the translation, it is. No retention “just in case” — minimisation is the default, not the exception.

Art 5MinimisePurpose-limit
PRACTICE 05 · RETENTION

Retention & scheduled deletion

Source documents and deliverables are retained only for the agreed period, then securely deleted on schedule (Article 5 storage limitation). The retention window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and confirms deletion in writing, recorded in the audit-trail.

Storage limitSecure deleteConfirmed
PRACTICE 06 · SUB-PROCESSORS

Sub-processor screening & flow-down

Where a sub-processor is engaged, it is screened and bound by back-to-back obligations no weaker than Othello’s own (Article 28(4)). The controller is informed of sub-processors and may object. No undisclosed sub-processing — the same transparency discipline Othello applies to partner-routed language work.

Art 28(4)Flow-downDisclosed
PRACTICE 07 · BREACH RESPONSE

Incident-response procedure

A documented incident-response procedure governs detection, containment, assessment, and controller notification without undue delay (Article 33). The procedure assigns responsibility, sets timelines, and ends in remediation and a recorded post-incident review. The controller is notified in time to meet its own 72-hour deadline.

DetectContainNotify
PRACTICE 08 · RECORDS

RoPA & audit-trail

Othello maintains records of processing activities (Article 30) and a consolidated audit-trail per engagement — processing purpose, data categories, transfer mechanism, retention, deletion, and any incidents. Retained Bangkok-side and available to the controller for its own accountability and supervisory-authority obligations.

Art 30 RoPAAudit-trailAccountable

SUPPLEMENTARY MEASURES ARE THE POINT · After Schrems II, SCCs alone are not enough. The exporter must assess the destination and add measures — encryption, access control, minimisation, processing isolation — to bring protection up to EU-equivalent standard. The eight practices above are those supplementary measures, operationalised. See Our Process for the bench workflow they sit inside.

★ GDPR + PDPA · Two Regimes · One Discipline

GDPR and PDPA map closely — but they are not the same instrument.

Othello is domiciled in Thailand, so Thailand’s Personal Data Protection Act (PDPA) is its home regime; the GDPR applies to EU-facing engagements. The two are closely aligned — PDPA was modelled on GDPR — but the obligations attach differently. Othello runs one operating discipline that satisfies both, and names which regime governs which engagement.

★ THE TWO REGIMES · SIDE BY SIDE

One handling standard. Two regimes it answers to.

Where the data subject is in the EU/EEA, GDPR governs and the EU → Thailand transfer runs on SCCs + TIA. Where the data subject is in Thailand, PDPA governs directly. Many engagements touch both. Othello’s bench operates a single discipline — in-house processing, encryption, minimisation, retention control, breach response — calibrated to satisfy the stricter of the two on any given point. See PDPA Compliance for the Thai-domicile detail.

DIM 01
Origin.GDPR: Regulation (EU) 2016/679, effective 2018. PDPA: Thailand’s Personal Data Protection Act, fully effective 2022, modelled on GDPR.
DIM 02
When it governs.GDPR: EU/EEA data subjects (Art 3). PDPA: personal data processed in Thailand and Thai data subjects. Othello names which applies per engagement.
DIM 03
Roles.Both distinguish controller and processor with near-identical duties. Othello is the processor under either, on the client-controller’s documented instruction.
DIM 04
Cross-border transfer.GDPR: EU→TH needs SCCs + TIA (no adequacy). PDPA: its own cross-border rules. Othello documents the mechanism, never assumes free flow.
DIM 05
Data-subject rights.Both grant access, rectification, erasure, and objection. Othello assists the controller in honouring them under either regime, recorded in the audit-trail.
DIM 06
Othello’s standing.PDPA: home regime, directly applicable. GDPR: applied to EU-facing work via SCCs + DPA. Both run honestly — neither overclaimed.

PLAIN LANGUAGE · Othello is a Thai PDPA-domiciled firm that runs EU-facing work to GDPR standard via SCCs and an Article 28 DPA. It does not claim Thailand is EU-adequate, and it does not treat its Bangkok base as a GDPR exemption. One handling discipline, two regimes, named per engagement.

★ Data Lifecycle · Intake to Confirmed Deletion

Six stages. Each with a documented gate. Data is controlled end to end.

How personal data inside a client document is handled from arrival to deletion. The transfer gate is first — before any EU-origin data reaches Bangkok, the SCC + TIA + DPA basis is in place. Nothing is processed on a basis that is not documented. See Our Process for the bench workflow this sits inside.

★ LAWFUL-BASIS-FIRST · AUDIT-TRAIL RETAINED

From intake to confirmed deletion. Bangkok-controlled throughout.

Every engagement carrying personal data progresses through the six stages below. The lawful basis and transfer mechanism are set before intake — DPA executed, SCCs incorporated, TIA on file for EU-origin data. The data is then controlled inside Othello infrastructure to confirmed deletion.

STAGE 01
Basis & transfer gate.Regime identified (GDPR / PDPA / both). For EU-origin data, DPA executed, SCCs incorporated, TIA on file. NDA from first email already in force. No data crosses without a documented basis.
STAGE 02
Secure intake.Documents received over encrypted transfer channels, not default email. Logged on receipt. Scope and data categories confirmed against the DPA. Minimisation applied — only what the engagement needs.
STAGE 03
Controlled processing.Processed in-house by the named bench under least-privilege access — no consumer LLM endpoints, no unscreened tools. Encrypted at rest. Access logged; need-to-know enforced.
STAGE 04
Editorial & QA.Independent editor reviews within the same controlled environment (ISO 17100 stage two). No data leaves the perimeter for QA. Any sub-processor is screened and flow-down-bound. Disclosed to the controller.
STAGE 05
Delivery.Deliverable returned over secure channel. Data-subject-rights requests (via the controller) actioned promptly — retrieval, correction, or extraction. Every action recorded in the audit-trail / RoPA.
STAGE 06
Retention & deletion.Held only for the DPA-agreed window, then securely deleted or returned, with written confirmation (Art 5 storage limitation). Audit-trail of the lifecycle retained Bangkok-side for accountability.
★ GDPR FAQ · Ten Common Asks

Data-protection questions answered up front.

Substantive answers to what privacy officers, Big Law procurement, and EU-facing clients routinely ask about how a Bangkok firm handles personal data under GDPR. Click to expand each.

Q.01Does GDPR even apply to a Bangkok-based firm?

Yes, where EU data subjects are involved. Under Article 3, GDPR applies extraterritorially — processing the personal data of individuals in the EU brings a non-EU firm into scope regardless of where it sits. Othello does not treat its Bangkok domicile as an exemption. EU-facing engagements are run to GDPR standard, with the EU → Thailand transfer handled under Standard Contractual Clauses.

Q.02Is Othello a data controller or a data processor?

A data processor. Othello processes personal data inside documents on the documented instructions of the client, who is the controller and determines the purposes. This role allocation is recorded in the engagement and the Article 28 Data Processing Agreement, and it dictates the obligations Othello accepts — confidentiality, security, sub-processor control, breach notification, audit, and deletion.

Q.03Thailand has no EU adequacy decision — so how is the transfer lawful?

Through Standard Contractual Clauses, not adequacy. Thailand is not on the EU’s list of adequate countries, so EU → Thailand transfers run on the modernised SCCs (Decision (EU) 2021/914) incorporated into the DPA, accompanied by a Transfer Impact Assessment and documented supplementary measures (encryption, access control, minimisation). Othello will not claim Thailand is “adequate” — it documents the actual lawful mechanism the regulation requires for a non-adequate third country.

Q.04What is a Transfer Impact Assessment and do you do one?

After the Schrems II ruling, SCCs alone are not enough — the data exporter must assess whether the destination country offers protection essentially equivalent to the GDPR, and add supplementary measures where it falls short. That assessment is the Transfer Impact Assessment. For EU-origin engagements, the TIA documents the measures — encryption with Othello-held keys, least-privilege access, in-house processing, minimisation — and is reassessed at least annually.

Q.05Will you sign a Data Processing Agreement?

Yes. Every EU-facing engagement can run under an Article 28 DPA, available on request and issued under mutual NDA. The DPA records the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subject, the controller’s instructions, and Othello’s obligations — with the SCCs incorporated for the transfer. The DPA is the instrument; SCCs sit inside it.

Q.06Do you use machine translation or consumer AI tools on our documents?

No — not for substantive client content. Othello does not route personal data inside client documents through consumer LLM endpoints or unscreened third-party machine-translation services. Content is processed within Othello-controlled infrastructure by the named bench. Silent data egress to free translation tools is the single most common GDPR failure in the translation market — and the one Othello is built to avoid.

Q.07How fast do you notify us of a personal-data breach?

As a processor, Othello’s obligation under Article 33 is to notify the controller without undue delay on becoming aware of a breach — so the controller can meet its own 72-hour supervisory-authority deadline. Othello runs a documented incident-response procedure: detection, containment, assessment, controller notification, remediation, and a recorded post-incident review.

Q.08How do you handle data-subject rights requests?

As processor, Othello does not field requests directly from data subjects — it assists the controller in honouring them (Articles 15–21: access, rectification, erasure, restriction, portability, objection). On the controller’s instruction, Othello promptly retrieves, corrects, extracts, or deletes the relevant material from Othello-controlled infrastructure and records the action in the audit-trail.

Q.09How long do you keep our documents, and do you confirm deletion?

Only for the agreed retention window, then secure deletion with written confirmation (Article 5 storage limitation). The window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and confirms in writing, with the lifecycle recorded in the audit-trail. No retention “just in case.”

Q.10How does GDPR relate to PDPA, and to Othello’s wider engagement framework?

PDPA is Othello’s home regime; GDPR applies to EU-facing work. Thailand’s PDPA was modelled on GDPR, so the two map closely — Othello runs one handling discipline (in-house processing, encryption, minimisation, retention control, breach response) calibrated to satisfy the stricter of the two on any point. This sits inside the firm’s founding standard — established 2020 on US government contracts under FAR-grade verification and NDA-from-first-email confidentiality. See PDPA Compliance. Email [email protected] or call +66 02-859-2145.

Personal data, handled lawfully.

Othello runs EU-facing work to GDPR standard via SCCs and an Article 28 DPA — processor role, in-house processing, encryption, minimisation, 72-hour breach discipline, confirmed deletion — and is PDPA-domiciled in Thailand. The transfer basis is documented before any data crosses; the audit-trail is retained Bangkok-side. ≤1 BH acknowledgement · DPA on request under mutual NDA.

+66 02-859-2145 · [email protected]
Unit 12-03, Chartered Square · 152 N Sathon Rd · Si Lom · Bangkok 10500
GDPR Compliance · Reg (EU) 2016/679 · Data Processor · Art 28 DPA · SCCs 2021/914 + TIA · 72-Hour Breach Notice · In-House · Encrypted · Minimised · PDPA-Domiciled · GDPR-Aligned · NDA From First Email Othello International